What You Need To Know About EU Data Privacy And Blockchain

Last week, the EU brought into force the General Data Protection Regulation (GDPR) – the biggest change in data privacy legislation in the last 20 years. Even if you live outside the EU, chances are your inbox has been inundated with notices about changes to the privacy policy of every company you ever handed your email address to. Data privacy and blockchain have so far appeared to go hand in hand.

But what will be the impact of the new EU legislation on the use of blockchain, given that the technology has already demonstrated such huge potential in the field of data management?

Aims of the GDPR

The GDPR has introduced sweeping changes to the way that companies and websites manage and process the data of their users. This includes an explicit right for users to request a copy of their personal data and, if they wish, to have it erased.

In addition, companies are required to report data breaches, and they face heavy penalties for them. The GDPR applies not only to organizations established in the EU. It also applies to any company or site that offers goods or services to, or monitors the behaviour of, people in the EU, wherever the company itself is based. Hence the universal flooding of all our inboxes.

The GDPR was first proposed in 2012, but much of the political momentum behind it came from EU outrage over the spying activities of the NSA, leaked by Edward Snowden in 2013. Since then, we have seen several high-profile scandals, most recently the one involving Facebook and Cambridge Analytica. Such scandals seem to justify the necessity of regulation.


But therein lies the problem of trying to protect user privacy as a matter of policy. Regulation is backward-looking. The GDPR only came after some of the most high-profile data breaches had already happened.

The EU and the governments of its member states cannot peer into the black boxes of cybersecurity measures used by Facebook or Google. Neither can they police the vastness of the web to ensure GDPR compliance.

Regulators will only deal with complaints and breaches of data privacy as and when they are reported, after the proverbial horse has already bolted.

Data Privacy and Blockchain

Many in the blockchain community have argued that the use of blockchain could have prevented the Facebook/Cambridge Analytica scandal from happening in the first place.

Users holding their own private keys could decide to whom their data is released, and smart contracts could govern how that data is used. This would not stop a party that has already received the data from copying it, but it would leave an auditable record of who was granted access, and on what terms, which users could hold those parties to.

The immutability of blockchain also means that nobody can tamper with data once it is recorded. Data privacy and blockchain certainly seem to work together well.

Blockchain’s Incompatibility with the GDPR

The regulatory focus on blockchain to date has been predominantly around the financial regulation of ICOs and the trading of digital currencies. However, as things stand, the GDPR has created something of a paradox for data privacy and blockchain.

The legislation was written with online communications and cloud storage in mind. It therefore includes an explicit right to be forgotten: users can have their personal data erased upon request. This is a problem for an immutable ledger, as we cannot go back in time and erase data once it is recorded; nothing written to the chain can later be removed or rewritten.

Additionally, the GDPR places its obligations on a data controller, the organization that decides why and how personal data is processed, and it is the controller who must handle such user requests. A public, permissionless blockchain is a database that nobody is in control of: the copies are held by many independent nodes. To whom could a user even direct such a request?

Solving the Paradox

There are a couple of points to be made here. Firstly, the GDPR has taken years to come to fruition, in which time significant developments in blockchain have been made. Campaign groups are already lobbying for Bitcoin to be excluded from the scope of the GDPR.

It is possible that EU legislators may eventually respond to such campaigns by making specific provisions for blockchain technology. If this does happen, given how long it took for the existing legislation to come into force, it may well be a slow process.


Secondly, the blockchain community is already speculating over whether the destruction of a private key may effectively be the same as “being forgotten.”

After all, losing a Bitcoin private key is tantamount to flushing the digital currency down the toilet. If a user's data was encrypted under a key that only they hold, and the user then destroys that key so that nobody can read their blockchain data any more, perhaps this may ultimately satisfy the terms of the GDPR's right to be forgotten. The approach only works where the data was encrypted before it was written; personal data recorded in the clear stays readable by every node forever. It is yet to be tested.
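To make the “destroy the key” idea concrete, here is an added example in Python. It is not code from the article or from any project the article mentions. It encrypts a record under a key that only the user's wallet holds, appends the ciphertext to a toy append-only ledger, and then shreds the key; it also writes the same record in the clear to show the failure mode, namely that the plaintext copy stays readable forever. The cipher is an illustrative HMAC-SHA256 counter-mode construction with encrypt-then-MAC, chosen only to keep the example dependency-free; a real system would use AES-GCM from a vetted library. The sample record is constructed.

```python
import hashlib
import hmac
import secrets


class KeyDestroyed(Exception):
    """Raised when the user has deliberately destroyed their key."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative HMAC-SHA256 counter-mode keystream (assumption of this example,
    # not a recommendation): a real system would use AES-GCM from a vetted library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything tampered with."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Ledger:
    """Toy append-only, hash-chained ledger: there is deliberately no delete or update."""

    def __init__(self) -> None:
        self._blocks = []

    def append(self, payload: bytes) -> int:
        prev = self._blocks[-1]["hash"] if self._blocks else b"\x00" * 32
        self._blocks.append({"payload": payload, "hash": hashlib.sha256(prev + payload).digest()})
        return len(self._blocks) - 1

    def read(self, index: int) -> bytes:
        return self._blocks[index]["payload"]

    def __len__(self) -> int:
        return len(self._blocks)


class UserKeyStore:
    """Stands in for the user's wallet: the only copy of the key lives here."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def key(self) -> bytes:
        if self._key is None:
            raise KeyDestroyed("the user destroyed their key")
        return self._key

    def destroy(self) -> None:
        self._key = None


# Constructed sample record; not a real person.
SAMPLE_RECORD = b'{"name":"Alice Example","email":"alice@example.org"}'


def run_scenario() -> dict:
    """Encrypt-and-shred versus writing PII in the clear on the same ledger."""
    ledger = Ledger()
    keys = UserKeyStore()
    enc_index = ledger.append(encrypt(keys.key(), SAMPLE_RECORD))
    plain_index = ledger.append(SAMPLE_RECORD)  # the mistake: PII written unencrypted
    before = decrypt(keys.key(), ledger.read(enc_index))
    keys.destroy()  # the user "forgets" by destroying the only key
    try:
        decrypt(keys.key(), ledger.read(enc_index))
        readable_after = True
    except KeyDestroyed:
        readable_after = False
    return {
        "recovered_before_shred": before,
        "readable_after_shred": readable_after,
        "ciphertext_still_on_chain": len(ledger.read(enc_index)) > len(SAMPLE_RECORD),
        "plaintext_still_on_chain": ledger.read(plain_index) == SAMPLE_RECORD,
        "blocks": len(ledger),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The ledger never shrinks: after the key is gone the ciphertext block is still there, it is just unreadable, while the block written in the clear is as readable as the day it was appended. Whether an unreadable ciphertext still counts as personal data is a question for regulators; the example shows only what the engineering can and cannot guarantee.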

Data Privacy and Blockchain Companies

No blockchain has yet been proven to be GDPR compliant or otherwise. But a number of blockchain companies are already directly dealing with user data and privacy. It is possible or even likely that some blockchain projects may have to amend their offering to remain compliant, post-GDPR.

Parity ICO Services offer KYC services to ICOs and store background checks on the blockchain. They announced on May 18th that they would, unfortunately, be shutting down due to the significant resources required to ensure GDPR compliance.

Off-chain Solutions

Civic is a company offering ID verification services. Their approach to data privacy and blockchain may be a model that better complies with the GDPR. Rather than storing personal data on the blockchain, the Civic tool verifies user identity off-chain.

A simple attestation to the veracity of the data is stored on-chain; the data itself is not. Personal data is actually stored by the user on their phone memory using the Civic app.

Parties wishing to verify identity can take the blockchain attestation, or request additional data via the app. The user can decide if they wish to share this data, controlling access via the app.

Storing personal data off-chain in this way may be a compliant workaround, and is currently recommended by IBM in the March 2018 paper they released covering the topic of GDPR and blockchain. IBM is also working with SecureKey to establish a digital identity toolkit using a similar off-chain solution to the one deployed by Civic.
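The off-chain pattern described above, as an added example in Python that is not Civic's, SecureKey's or IBM's code: the user's device holds the personal data plus one random salt per field, the chain holds only an attestation made of per-field commitments (a hash of salt and value), and a relying party checks a selective disclosure against that on-chain attestation. The example also shows why the salt matters (an unsalted hash of an email address falls to a dictionary) and what “forgetting” looks like on the device (delete the record and the salts, after which the on-chain commitments can no longer be linked to anyone). The field names, the issuer label, the sample record and the candidate list are constructed.

```python
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the same fact always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commitment(field: str, value: str, salt: bytes) -> str:
    """Hex SHA-256 of salt || canonical({field: value}); the salt never leaves the device."""
    return hashlib.sha256(salt + canonical({field: value})).hexdigest()


class Ledger:
    """Toy append-only store. Only attestations are written, never the record."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, entry: dict) -> int:
        self.entries.append(dict(entry))
        return len(self.entries) - 1


class Wallet:
    """Stands in for the user's phone: holds the record and one random salt per field."""

    def __init__(self, record: dict) -> None:
        self.record = dict(record)
        self.salts = {field: secrets.token_bytes(32) for field in record}

    def attestation(self, issuer: str) -> dict:
        """What the identity provider vouches for and the chain stores: commitments only."""
        return {
            "issuer": issuer,
            "commitments": {f: commitment(f, v, self.salts[f]) for f, v in self.record.items()},
        }

    def disclose(self, fields) -> dict:
        """Selective disclosure: reveal only the requested fields and their salts."""
        if self.record is None:
            raise RuntimeError("record has been deleted from this device")
        return {f: {"value": self.record[f], "salt": self.salts[f].hex()} for f in fields}

    def forget(self) -> None:
        """Device-side erasure: without the salts the on-chain commitments are unlinkable."""
        self.record = None
        self.salts = None


def verify(attestation: dict, disclosure: dict) -> bool:
    """Relying party: recompute each disclosed commitment and compare with the chain."""
    for field, item in disclosure.items():
        expected = attestation["commitments"].get(field)
        if expected is None:
            return False
        got = commitment(field, item["value"], bytes.fromhex(item["salt"]))
        if not hmac.compare_digest(got, expected):
            return False
    return True


def guess_unsalted(target_hex: str, field: str, candidates):
    """Why the salt matters: an unsalted hash of low-entropy PII falls to a dictionary."""
    for candidate in candidates:
        if hashlib.sha256(canonical({field: candidate})).hexdigest() == target_hex:
            return candidate
    return None


# Constructed sample record and candidate list; not real people.
SAMPLE_RECORD = {"name": "Alice Example", "email": "alice@example.org", "dob": "1990-01-01"}
CANDIDATES = ["bob@example.org", "carol@example.org", "alice@example.org"]


def run_scenario() -> dict:
    ledger = Ledger()
    wallet = Wallet(SAMPLE_RECORD)
    att = ledger.entries[ledger.append(wallet.attestation("kyc-provider-example"))]

    genuine = verify(att, wallet.disclose(["email"]))
    forged = wallet.disclose(["email"])
    forged["email"]["value"] = "mallory@example.org"  # tampered value, real salt
    forged_ok = verify(att, forged)

    unsalted_hex = hashlib.sha256(canonical({"email": SAMPLE_RECORD["email"]})).hexdigest()
    unsalted_guess = guess_unsalted(unsalted_hex, "email", CANDIDATES)
    salted_guess = guess_unsalted(att["commitments"]["email"], "email", CANDIDATES)

    wallet.forget()
    try:
        wallet.disclose(["email"])
        disclosable_after = True
    except RuntimeError:
        disclosable_after = False

    return {
        "genuine_disclosure_verifies": genuine,
        "forged_disclosure_verifies": forged_ok,
        "unsalted_hash_guessed": unsalted_guess,
        "salted_commitment_guessed": salted_guess,
        "disclosable_after_forget": disclosable_after,
        "pii_on_chain": SAMPLE_RECORD["email"] in json.dumps(ledger.entries),
        "entries_on_chain": len(ledger.entries),
    }
```

Two design choices matter here. Per-field commitments are what make selective disclosure possible: the user can prove their email address without revealing their date of birth. And the salt is what keeps the commitment from being a thinly veiled copy of the data; a plain hash of an email address can be reversed by anyone with a list of addresses, so it would arguably still be personal data sitting on the chain.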

Of course, such off-chain solutions forgo the security benefits of storing the data itself on the blockchain: only the attestation is tamper-evident, and the personal data on the user's phone is only as safe as the phone.

Other blockchain solutions dealing with provisions directly addressed by the GDPR include file or cloud storage solutions. AI startups using Big Data and crowd sentiments to make predictions may also be affected.

Our interview with David Sønstebø, co-founder of IOTA, touches on his views on the introduction of the GDPR. Ultimately, we will have to wait and see how the GDPR will affect the many blockchain companies driven by data.